June 25, 2010

The President 
The White House 
Washington, DC 20500 

Dear Mr. President: 




I am pleased to submit the Information Security Oversight Office’s (ISOO) Report on Cost Estimates for 
Security Classification Activities for Fiscal Year 2009. 

This report provides information on the cost estimates of the security classification program as required 
by Executive Order 13526, “Classified National Security Information.” It provides statistics and analysis 
concerning key components of the system from 41 Executive branch agencies. It also contains cost 
information with respect to industrial security in the private sector as required by Executive Order 12829, 
as amended, “National Industrial Security Program.” The cost estimates from the Central Intelligence 
Agency, the Defense Intelligence Agency, the Office of the Director of National Intelligence, the National 
Geospatial-Intelligence Agency, the National Reconnaissance Office, and the National Security Agency, 
are compiled in a classified addendum to this report that is being transmitted separately. 

With the issuance of Executive Order 13526, there is a strong need for an increased emphasis on 
“Professional Education, Training, and Awareness,” and as stated last year, this area will require additional 
investment. Positive developments were reported by the agencies concerning the “Classification 
Management” and “Security Management, Oversight, and Planning” categories. The increased attention 
reported in these areas must be sustained and even increased since they are crucial to the efficient 
and effective implementation of Executive Order 13526. The agencies also reported a modest, but 
welcome increase in spending on declassification programs. Sustaining and increasing investment in 
declassification is necessary to maintain the classification system and is fundamental to the principles of 
transparency, participation, and collaboration. 

A responsible and efficient security classification program requires commitment, diligence, and integrity. 
It is of particular importance that the classification system be implemented in a manner that makes for 
the most efficient and effective use of the finite resources available to departments and agencies. As 
ISOO oversees the trends in this system, we will continue to focus on enhancing the policy and guidance 
to this end. 




Director 

Enclosure 

cc: General James E. Jones, USMC, Ret. 

Assistant to the President for National Security Affairs 





2009 REPORT TO THE PRESIDENT 

Cost Estimates for Security Classification Activities 



Background and Methodology 

The Information Security Oversight Office (ISOO)
reports annually to the President on the estimated costs
associated with agencies’ implementation of Executive
Order (E.O.) 13526, “Classified National Security
Information,” and E.O. 12829, as amended, “National
Industrial Security Program.”

ISOO relies on the agencies to estimate the costs of the 
security classification system. Requiring agencies to 
provide exact responses to the cost collection efforts would 
be cost prohibitive. The collection methodology used in
this report has consistently provided a good indication of 
the trends in total cost. It is important to note that absent 
any security classification activity, many of the expenditures 
reported would continue to be made in order to address 
other, overlapping security requirements. 

The Government data presented in this report were 
collected by categories based on common definitions 
developed by an Executive branch working group. The 
categories are defined below: 

Personnel Security: A series of interlocking and mutually 
supporting program elements that initially establish a 
Government or contractor employee's eligibility and ensure 
suitability for the continued access to classified information. 

Physical Security: That portion of security concerned 
with physical measures designed to safeguard and protect 
classified facilities and information, domestic or foreign. 

Information Security: Includes four subcategories: 

Classification Management: The system of 
administrative policies and procedures for identifying, 
controlling, and protecting classified information from 
unauthorized disclosure, the protection of which is 
authorized by Executive order or statute. Classification 
Management encompasses those resources used to 
identify, control, transfer, transmit, retrieve, inventory, 
archive, or destroy classified information. 

Declassification: The authorized change in the status of 
information from classified information to unclassified 
information. It encompasses those resources used 
to identify and process information subject to the
automatic, systematic, and mandatory review programs
established by E.O. 13526, as well as discretionary 
declassification activities and declassification activities 
required by statute. 

Information Systems Security for Classified 
Information: An information system is a set of 
information resources organized for the collection, 
storage, processing, maintenance, use, sharing, 
dissemination, disposition, display, or transmission of 
information. Security of these systems involves the 
protection of information systems against unauthorized 
access to or modification of information, whether in 
storage, processing, or transit; and against the denial of 
service to authorized users, including those measures 
necessary to detect, document, and counter such threats. 
It can include, but is not limited to, the provision of all 
security features needed to provide an accredited system 
of computer hardware and software for protection 
of classified information, material, or processes in 
automated systems. 

Miscellaneous: Includes two subcategories: 

Operations Security (OPSEC): Systematic and 
proven process by which potential adversaries can be 
denied information about capabilities and intentions 
by identifying, controlling, and protecting generally 
unclassified evidence of the planning and execution 
of sensitive activities. The process involves five 
steps: identification of critical information, analysis of 
threats, analysis of vulnerabilities, assessment of risks, 
and application of appropriate countermeasures. 

Technical Surveillance Countermeasures (TSCM): 
Personnel and operating expenses associated with the 
development, training and application of technical 
security countermeasures such as non-destructive and 
destructive searches, electromagnetic energy searches, 
and telephone system searches. 

Professional Education, Training, and Awareness: 

The establishment, maintenance, direction, support, and 
assessment of a security training and awareness program; 
the certification and approval of the training program; 
the development, management, and maintenance of 
training records; the training of personnel to perform 
tasks associated with their duties; and qualification and/or
certification of personnel before assignment of security
responsibilities related to classified information. 

Security Management, Oversight, and Planning: 
Development and implementation of plans, procedures, 
and actions to accomplish policy requirements, develop 
budget and resource requirements, oversee organizational 
activities, and respond to management requests related to 
classified information. 

Unique Items: Those department specific or agency 
specific activities that are not reported in any of the 
primary categories but are nonetheless significant and 
need to be included. 

Survey Results and Interpretation - Government

The total security classification cost estimate within 
Government for Fiscal Year (FY) 2009 is $8.81 billion. 
This figure represents estimates provided by 41 executive 
branch agencies, including the Department of Defense 
(DoD). It does not include the cost estimates of the Central 
Intelligence Agency, the Defense Intelligence Agency, 
the Office of the Director of National Intelligence, the 
National Geospatial-Intelligence Agency, the National 
Reconnaissance Office, and the National Security Agency. 



The cost estimates of these agencies are classified in 
accordance with Intelligence Community classification 
guidance and are included in a classified addendum to this 
report. The total security classification costs for Executive 
branch agencies increased $176.65 million in FY 2009, an 
increase of 2 percent from FY 2008. 

For FY 2009, agencies reported $1.21 billion in 
estimated costs associated with Personnel Security, an 
increase of $116.75 million, or 11 percent. This was 
mainly due to an increased number of background 
investigations for new personnel, as well as periodic 
reinvestigations for current employees. 

Estimated costs associated with Physical Security were 
$1.28 billion, a decrease of $8.23 million, or 1 percent 
decrease, from FY 2008. Most decreases in costs were due
to completion of projects begun in FY 2008.

Estimated costs associated with Information Security were 
$4.77 billion. Information Security continues to be the main 
driver of all the costs, representing 54 percent of the total 
security classification costs for FY 2009. There are four
subcategories within Information Security: Classification
Management, Declassification, Information Systems Security
for Classified Information, and Miscellaneous (OPSEC
and TSCM). Of these four subcategories, Information
Systems Security for Classified Information continues to be
the most costly, at $4.26 billion, or 89 percent of estimated
costs for Information Security. Classification Management
costs showed an increase of $27.46 million, or 8 percent; 
Declassification costs increased $1.92 million, or 4 percent; 
Information Systems Security costs decreased $74.51 million, 
or 2 percent; and Miscellaneous costs, which include 
OPSEC and TSCM, increased $15.99 million, or 18 percent. 
Overall, Information Security decreased $29.14 million, a 
1 percent decrease. 

The FY 2009 estimated costs for Professional Education, 
Training, and Awareness were $226.11 million, a 
$17.32 million, or 7 percent decrease in costs from FY 2008. 
Overall, the majority of agencies increased their costs for 
the development of new training programs; however, some 
agencies completed projects carried over from FY 2008, thus 
driving down the overall costs in this category. 

Estimated costs associated with Security Management, 
Oversight, and Planning were $1.3 billion. The costs for
FY 2009 increased $107.65 million, a 9 percent increase 
over the FY 2008 costs. 

Although costs associated with Unique Items increased 
by $6.94 million, or 79 percent, this category continues
to be the smallest at $15.73 million, less than 1 percent of
the total. The increase for FY 2009 was primarily due to 
installation and upgrades of secure equipment needed for 
communication security (COMSEC) offices and Sensitive 
Compartmented Information Facilities (SCIF). 

The three smaller subcategories of Information Security
are Classification Management, Declassification, and
Miscellaneous (OPSEC and TSCM). In FY 2003, the first
year that all three subcategories were reported, they comprised
5.12 percent of the total Government security classification 
costs and in FY 2009 they composed 5.81 percent. From 
FY 1998, the first year Declassification costs were 
reported as a separate subcategory, through FY 2009, 
Declassification costs have decreased by $155 million. 

They have decreased by $188.53 million from the high of 
$233.18 million of 1999. However, in FY 2009, spending 
on Declassification increased by 4 percent. Despite this 
increase, Declassification costs make up just over .5 percent
of the total security classification costs. Classification 
Management costs continue to increase slightly each year. 
From FY 1995 through FY 2009, these costs have increased 
by $49 million. In FY 2009, Classification Management
increased $27.46 million, an 8 percent increase. OPSEC and
TSCM costs have increased $91 million since they began to
be reported as a separate subcategory in FY 2003.

[Figure: Information Security Costs FY 1995 - FY 2009]

*Prior to 1998, Declassification costs were included in Classification Management costs.
*Prior to 2003, Miscellaneous (OPSEC and TSCM) costs were not reported.

Information Systems Security for Classified Information has 
been the most costly subcategory of Information Security,
comprising more than 40 percent of all the total costs
yearly from FY 1995 to FY 2009. From FY 2006 through 
FY 2008, the average annual increase for information 
systems security was $155.11 million. In FY 2009, this cost 
decreased $74.51 million, or 2 percent.

Survey Results and Interpretation - Industry

To fulfill the cost reporting requirements, a joint DoD and 
industry group developed a cost collection methodology 
for those costs associated with the use and protection of 
classified information within industry. For FY 2009, the 
Defense Security Service collected industry cost data and 
provided the estimate to ISOO. 

Cost estimate data are not provided by category because
industry accounts for its costs differently than Government. 
Rather, a sampling method was applied that included 
volunteer companies from four different categories 
of facilities. The category of facility is based on the
complexity of security requirements that a particular
company must meet in order to hold and perform under a 
classified contract with a Government agency. 

The FY 2009 cost estimate totals for industry pertain to 
the twelve-month accounting period for the most recently 
completed fiscal year of the companies that were part 
of the industry sample under the National Industrial 
Security Program. 

For most of the 699 companies included in the sample, 
December 31, 2009, was the end of their fiscal year. The 
estimate of total security classification costs for FY 2009 
within industry is $1.12 billion, a decrease of $89.96 million 
from $1.21 billion for FY 2008. This is the first year since 
FY 2005 that industry costs have dropped below $1.20 billion. 




[Figure: Total Costs for Government and Industry FY 1995 - FY 2009]

Conclusion

This year’s estimate for Government and industry shows 
an increase of $86.51 million. From FY 1995 through 
FY 2009, there was an increase of $4.33 billion in 
total costs. The increase for FY 2009 was driven by 
Government in the Personnel, Security Management, and
Classification Management categories. These increases
in costs come mainly from new hires, reinvestigations, 
security awareness training, and upgrade or installation 
of secure information systems. The average annual 
increase from FY 2002 through FY 2005 was $911.82 
million compared to an average annual increase of only 
$152.25 million from FY 2006 through FY 2009.